
OPM Breach Dates Back to December

The attack on the Office of Personnel Management that was disclosed earlier this month began as early as December 2014 and likely was the end result of a social engineering attack that enabled the hackers to gain valid user credentials and move around OPM’s network.

During a hearing on Capitol Hill Tuesday to address the hack and its fall-out, members of the House Committee on Oversight and Government Reform grilled OPM officials and IT executives about the breach and why the department had failed to implement many security defenses. Much of the hearing focused on the question of what information was stolen, why the data wasn’t encrypted, and why the OPM hadn’t been able to shore up its defenses, as recommended in a report from the Office of the Inspector General last year.

That report found a number of deficiencies in OPM’s security infrastructure, including the existence of several unauthorized systems, the lack of a mature vulnerability scanning program, and systems that aren’t connected to its security monitoring application. The report also took issue with the department’s lack of two-factor authentication for employee access. OPM has since added 2FA in some places, but the improvements did not placate the members of the committee.

Katherine Archuleta, director of the OPM, said that protecting user data was her highest priority, and that the IT staff had been working on implementing the changes recommended in the OIG report. Rep. Jason Chaffetz (R-Utah), chairman of the committee, said the changes weren’t nearly enough.

“You have completely and utterly failed, if that was your mission,” Chaffetz said.

The OPM breach came to light in early June, but department officials said in the hearing that the attack apparently began in December 2014. The attackers had access to personal information contained in security clearance background checks for millions of federal employees, and OPM officials said they believe the data was, in fact, removed from the network by the attackers.

“We concluded with a high probability that the data was exfiltrated by the adversary,” said Andy Ozment, assistant secretary, Office of Cybersecurity and Communications, National Program Preparedness Directorate, at the Department of Homeland Security, which helped investigate the breach.

The attack so far has affected more than four million people, but OPM officials said it’s possible that number could climb as the investigation continues. One of the key points of contention in the hearing was the revelation that the data stolen in the breach was not encrypted. Ozment said that encryption would not have made a difference in this case because the attackers were able to obtain valid user credentials that gave them access to the data.

Donna Seymour, CIO of the OPM, said during the hearing that the department was in the process of implementing database encryption, but there were still some hurdles.

“OPM has procured the tools for database encryption and we’re in the process of applying those tools, but some of the legacy systems may not be capable of accepting encryption,” she said.

Seymour also said that the age of the OPM’s network infrastructure is a factor in the difficulties the department has had with security.

“A lot of our systems are aged and implementing these tools takes time and a lot of them we can’t even implement,” Seymour said.

Archuleta, who took over as director of OPM in 2013, said that security issues don’t appear out of thin air and that she has been working to improve the infrastructure of the department since she joined OPM.

“Cybersecurity problems are decades in the making. It will take all of us to solve them,” Archuleta said. “My leadership with OPM is one that instigated the achievements and improvements that recognized the attack.”

As the hearing wore on, the committee members grew frustrated with the answers from Archuleta, Seymour, and the other witnesses in regard to why OPM’s security infrastructure was still so vulnerable after repeated warnings from its OIG and previous breaches.

“This is one of those hearings where I think that I will know less coming out of the hearing than I did when I walked in,” said Rep. Stephen Lynch (D-Mass.). “You’re doing a great job stonewalling us, but hackers, not so much.”

Discussion

My understanding is that OPM is using commercial databases, including Microsoft SQL Server and Oracle. It is likely that commercial data security products could have solved the security issues 8 years ago, when the OPM compliance issues surfaced.
As early as 2000 in the US, leading beverage brands and leading investment banks encrypted sensitive information to prevent unauthorized access by root, database administrators and other users, in commercial databases including Microsoft SQL Server 2000 and Oracle 8i.
It is likely that commercial encryption products that existed in the year 2000 could have prevented or significantly limited this large data breach.
Ulf Mattsson, CTO Protegrity
